System and method for activating a rendering device in a multi-level rights-management architecture

ABSTRACT

A digital rights management system for the distribution, protection and use of electronic content. The system includes a client architecture which receives content, where the content is preferably protected by encryption and may include a license and individualization features. Content is protected at several levels, including: no protection; source-sealed; individually-sealed (or “inscribed”); source-signed; and filly-individualized (or “owner exclusive”). The client also includes and/or receives components which permit the access and protection of the encrypted content, as well as components that allow content to be provided to the client in a form that is individualized for the client. In some cases, access to the content will be governed by a rights construct defined in the license bound to the content. The client components include an object which accesses encrypted content, an object that parses the license and enforces the rights in the license, an object which obtains protection software and data that is individualized for the client and/or the persona operating the client, and a script of instructions that provides individualization information to a distributor of content so that the content may be individualized for the client and/or its operating persona. Content is generally protected by encrypting it with a key and then sealing the key into the content in a way that binds it to the meta-data associated with the content. In some instances, the key may also be encrypted in such a way as to be accessible only by the use of individualized protection software installed on the client, thereby binding use of the content to a particular client or set of clients.

FIELD OF THE INVENTION

The present invention relates generally to distribution of electroniccontent, and, more particularly, to systems and methods for enabling theuse of certain protected content by a client in a rights-managementarchitecture that supports multiple levels of security.

BACKGROUND OF THE INVENTION

As the availability and use of computers and palm-sized electronicdevices has increased, it has become common for documents to betransmitted and viewed electronically. With improvements in the speedand facility of communication over infrastructures such as the Internet,there is a tremendous drive to provide enhanced services and content tothe devices. Examples of services and content that may be provided areauthored works, such as books or other textual material. Electronicdistribution of text documents is both faster and cheaper thanconventional distribution of paper copies. The same principle applies tonon-text content, such as audio and video: electronic distribution ofsuch content is generally faster and cheaper than the delivery of suchcontent on conventional media (e.g., magnetic tape or optical disk).However, the low cost and instantaneity of electronic distribution, incombination with the ease of copying electronic content, is at odds withcontrolled distribution in a manner that protects the rights of theowners of the distributed works.

Once an electronic document is transmitted to one party, it may beeasily copied and distributed to others without authorization by theowner of rights in the electronic document or, often, without even theowner's knowledge. This type of illicit document distribution maydeprive the author or content provider of royalties and/or income. Aproblem with many present delivery schemes is that they may make noprovisions for protecting ownership rights. Other systems attempt toprotect ownership rights, but however, are cumbersome and inflexible andmake the viewing/reading of the authored works (or otherwise renderingthe authored works, in the case of non-text content such as music,video, etc.) difficult for the purchaser.

Thus, in view of the above, there is a need for an improved digitalrights management system that allows of delivery of electronic works topurchasers in a manner that protects ownership rights, while also beingflexible and easy to use. There is also a need for the system thatprovides flexible levels of security protection and is operable onseveral client platforms such that electronic content may beviewed/rendered by its purchaser on each platform. The digital rightsmanagement system of the present invention advantageously providessolutions to the above problems which protect the intellectual propertyrights of content owners and allow for authors or other content ownersto be compensated for their creative efforts, while ensuring thatpurchasers are not over-burdened by the protection mechanism.

SUMMARY OF THE INVENTION

An architecture for a content-rendering client in a digital rightsmanagement (“DRM”) system is provided. The architecture includes arendering application (e.g., a text-viewing application or “reader”)which renders content protected by the DRM system. The architecture alsoincludes various security features that guard against unauthorizeddistribution or use of protected content, as well as software componentsthat navigate the security features to allow content to be rendered inan appropriate client environment.

In accordance with the architecture provided, content may be protectedat a plurality of levels, including: no protection, source sealed,individually sealed (or “inscribed”), source signed, and fullyindividualized (or “owner exclusive”). “No protection” content isdistributed in an unencrypted format. “Source sealed” and “individuallysealed” content is encrypted and bundled with an cryptographic key (the“content key”) that is cryptographically sealed with certainrights-management data associated with the content, such that the keycannot be retrieved if the rights-management data has been altered. Thedistinction between “source” and “individual” sealing is that“individually sealed” content includes in the rights-management datainformation pertinent to the rightful owner (e.g., the owner's name,credit card number, receipt number or transaction ID for the purchasetransaction, etc.), such that this information cannot be removed from aworking copy of the content, thereby allowing for detection ofunauthorized distributors. The particular type of information includedis determined by the retailer of the copy. “Signed” content iscryptographically signed in such a way that the rendering applicationcan verify its authenticity, or the authenticity of its distributionchannel. “Fully individualized” content is encrypted content providedwith a decryption key that has not merely been sealed with therights-management information, but also encrypted in such a way that itcannot be accessed in the absence of a “secure repository” and“activation certificate,” which are issued only to a particular clientor set of clients, thereby limiting the use of such content to a finitenumber of installations. “Fully individualized” content also includes alicense, which specifies the rights that a user may exercise withrespect to the content.

In one embodiment of the invention, the client is used for reading booksor text, which are distributed to the client in a file having protectionas described above. Preferably, the client software and data relating tothe protection and use of the content includes: the renderingapplication (called the “reader” in the case where the content is text);a “management” component that performs unsealing of protected contentand certain other cryptographic functions; a software object thatprovides to content distributors information such as the installationand/or “activation” status of the reader application, as well asinformation about the “activation” certificate that is needed by thedistributor in order to prepare “fully individualized” content whosedecryptability is limited to a certain set of readers; and an“activation” software object that performs the function of obtaining asecure repository and activation certificate for installation on theclient. Preferably, the activation software object is embodied as anACTIVEX control, and the object that provides information tocontent-distribution sites is embodied as an ACTIVEX and/or browserplug-in wrapped in one or more Java script functions. Additionally, itis preferable that the management object be operable by the readerapplication through an API exposed to the reader application.

Preferably, the content key of fully individualized content is encryptedaccording to a public/private key pair associated with a particularactivation certificate, and a copy of the activation certificate may beprovided to various client devices owned or used by a particular person(or “persona”), such that one person can read the same “fullyindividualized” content on plural devices owned by that person, whereasother people who own similar devices cannot read that same “fullyindividualized” content because the necessary activation certificatewill not be issued to those persons, thereby limiting the disseminationof fully individualized content.

Other features of the invention are described below.

BRIEF DESCRIPTION OF THE DRAWINGS

The foregoing summary, as well as the following detailed description, isbetter understood when read in conjunction with the appended drawings.For the purpose of illustrating the invention, like references numeralsrepresent similar parts throughout the several views of the drawings, itbeing understood, however, that the invention is not limited to thespecific methods and instrumentalities disclosed. In the drawings:

FIG. 1 is a block diagram showing an exemplary computing environment inwhich aspects of the present invention may be implemented;

FIG. 2 is a block diagram of a first embodiment of a client architectureimplementing aspects of a digital rights management system in accordancewith the invention;

FIG. 3 is a block diagram of a second embodiment of a clientarchitecture implementing aspects of a digital rights management systemin accordance with the invention;

FIG. 4 is an exemplary electronic book (eBook) title file format;

FIG. 5 is a flow diagram illustrating a reader activation process; and

FIG. 6 is a flow diagram illustrating exemplary processes of selecting,obtaining and reading an eBook using a digital rights management systemaccording to the invention.

DETAILED DESCRIPTION OF THE INVENTION

The present invention is directed to a system for processing anddelivery of electronic content wherein the content may be protected atmultiple levels. A preferred embodiment of the invention is described,which is directed to the processing and delivery of electronic books,however, the invention is not limited to electronic books and mayinclude all digital content such as video, audio, software executables,data, etc.

Overview

The success of the electronic book industry will undoubtedly requireproviding the existing book-buying public with an appealing, secure, andfamiliar experience to acquire all sorts of textual material. Thismaterial may include “free” or low-cost material requiring little copyprotection, to “premium-quality” electronic book titles (herein“eBooks”) requiring comprehensive rights protection. In order to enablea smooth transition from the current distribution and retail model forprinted books into an electronic distribution system, an infrastructuremust exist to ensure a high level of copy protection for thosepublications that demand it, while supporting the distribution of titlesthat require lower levels of protection.

The Digital Rights Management (DRM) and Digital Asset Server (DAS)systems of the present invention advantageously provides such aninfrastructure. The present invention makes purchasing an eBook moredesirable than “stealing” (e.g., making an unauthorized copy of) aneBook. The non-intrusive DRM system minimizes piracy risk, whileincreasing the likelihood that any piracy will be offset by increasedsales/distribution of books in the form of eBooks. In addition, thepresent invention provides retailers with a system that can be rapidlydeployed at a low-cost.

The primary users of the system are publishers and retailers, who useand/or deploy the system to ensure legitimacy of the content sold aswell as copy protection. Exemplary users of the system may be thetraditional publisher, the “leading edge” publisher, and the “hungryauthor.” The traditional publisher is likely to be concerned aboutlosing revenue from their printed book publishing operation to eBookpiracy. The leading edge publisher is not necessarily concerned withisolated incidents of piracy and may appreciate that eBooks commercewill be most successful in a system where consumers develop habits ofpurchase. Meanwhile, the hungry author, who would like to collect moneyfor the sale of his or her works, is more interested in attribution(e.g., that the author's name be permanently bound to the work).

As will be described in greater detail below, the DRM System of thepresent invention accomplishes its goals by protecting works, whileenabling their rightful use by consumers, by supporting various “levels”of protection. At the lowest level (“Level 1”), the content sourceand/or provider may choose no protection via unsigned and unsealed(clear-text) eBooks that do not include a license. A next level ofprotection (“Level 2”) is “source sealed,” which means that the contenthas been encrypted and sealed with a key, where the seal is made using acryptographic hash of the eBook's title's meta-data (see below) and thekey is necessary to decrypt the content. Source sealing guards againsttampering with the content or its accompanying meta-data after the titlehas been sealed, since any change to the meta-data will render the titleunusable; however, source sealing does not guarantee authenticity of thea copy of the title (i.e., source sealing does not provide a mechanismto distinguish legitimate copies from unauthorized copies). In the caseof the “hungry author,” the author's name may be included in themeta-data for permanent binding to the content, thereby satisfying the“hungry author's” goal of attribution. A next level of protection(“Level 3”) is “individually sealed” (or “inscribed”). An “individuallysealed” title is an eBook whose meta-data includes information relatedto the legitimate purchaser (e.g., the user's name or credit cardnumber, the transaction ID or receipt number from the purchasetransaction, etc.), such that this information is cryptographicallybound to the content when the title is sealed. This level of protectiondiscourages people from distributing copies of the title, since it wouldbe easy to detect the origin of an unauthorized copy (and any change tothe meta-data, including the information related to the purchaser, wouldmake it impossible, or at least improbable, that the necessarydecryption key could be unsealed).

The next level of protection (“Level 4”) is “source signed.” Sourcesigned eBooks are titles that can be authenticated by a “reader” (which,as more particularly discussed below, is a user application that enablesthe reading of eBooks on a computing device, such as a PC, a laptop, aPersonal Digital Assistant (PDA), PocketPC, or a purpose-built readingdevice). Authenticity may preferably be defined in three varieties:“tool signed,” which guarantees that the eBook title was generated by atrusted conversion and encryption tool; “owner signed,” which is a toolsigned eBook that also guarantees the authenticity of the content in thecopy (e.g., the owner may be the author or other copyright holder); and“provider signed,” which is a tool signed eBook that attests to theauthenticity of its provider (e.g., the publisher or retailer of thecontent). The “tool,” the owner, and the provider may each have theirown asymmetric key pair to facilitate the creation and validation ofdigital signatures of the information. A title may be both providersigned and source signed, which facilitates authentication of thedistribution channel of the title (e.g., through a signature chain inthe copy). The strongest level of protection is “fully individualized”or “owner exclusive” (“Level 5”). “Fully individualized” titles can onlybe opened by authenticated reader applications that are “activated” fora particular user, thereby protecting against porting of a title fromone person's reader (or readers) to a reader that is not registered tothat person. In order for the reader of the present invention to open atitle protected at Level 5, the Reader must be “activated” (i.e., thedevice on which the reader resides must have an activation certificatefor a particular persona, and a secure repository). The process ofActivation will be described in greater detail below with reference toFIG. 5.

The systems of the present invention also define an architecture forsharing information between a reader, a content provider and a contentsource, how that information is used to “seal” titles at the variouslevels, and how that information must be structured. The availability ofthese choices will enable content sources to pick and choose whichcontent will be sold to what users and using what protection (if any).The particular information may be used to sign and/or seal titles foruse by a reader, and a compatible reader (which, in the case of level 5,may be a reader activated for a particular persona) may unseal the titleand enable reading of the eBook.

System Architecture

As shown in FIG. 1, an exemplary system for implementing the inventionincludes a general purpose computing device in the form of aconventional personal computer or network server 20 or the like,including a processing unit 21, a system memory 22, and a system bus 23that couples various system components including the system memory 22 tothe processing unit 21. The system bus 23 may be any of several types ofbus structures including a memory bus or memory controller, a peripheralbus, and a local bus using any of a variety of bus architectures. Thesystem memory includes read-only memory (ROM) 24 and random accessmemory (RAM) 25. A basic input/output system 26 (BIOS), containing thebasic routines that help to transfer information between elements withinthe personal computer 20, such as during start-up, is stored in ROM 24.The personal computer or network server 20 may further include a harddisk drive 27 for reading from and writing to a hard disk, not shown, amagnetic disk drive 28 for reading from or writing to a removablemagnetic disk 29, and an optical disk drive 30 for reading from orwriting to a removable optical disk 31 such as a CD-ROM or other opticalmedia. The hard disk drive 27, magnetic disk drive 28, and optical diskdrive 30 are connected to the system bus 23 by a hard disk driveinterface 32, a magnetic disk drive interface 33, and an optical driveinterface 34, respectively. The drives and their associatedcomputer-readable media provide non-volatile storage of computerreadable instructions, data structures, program modules and other datafor the personal computer or network server 20. Although the exemplaryenvironment described herein employs a hard disk, a removable magneticdisk 29 and a removable optical disk 31, it should be appreciated bythose skilled in the art that other types of computer readable mediawhich can store data that is accessible by a computer, such as magneticcassettes, flash memory cards, digital video disks, Bernoullicartridges, random access memories (RAMs), read-only memories (ROMs) andthe like may also be used in the exemplary operating environment.

A number of program modules may be stored on the hard disk, magneticdisk 29, optical disk 31, ROM 24 or RAM 25, including an operatingsystem 35 (e.g., Windows® 2000, Windows NT®, or Windows 95/98), one ormore application programs 36, other program modules 37 and program data38. A user may enter commands and information into the personal computer20 through input devices such as a keyboard 40 and pointing device 42.Other input devices (not shown) may include a microphone, joystick, gamepad, satellite disk, scanner or the like. These and other input devicesare often connected to the processing unit 21 through a serial portinterface 46 that is coupled to the system bus 23, but may be connectedby other interfaces, such as a parallel port, game port, universalserial bus (USB), or a 1394 high-speed serial port. A monitor 47 orother type of display device is also connected to the system bus 23 viaan interface, such as a video adapter 48. In addition to the monitor 47,personal computers typically include other peripheral output devices(not shown), such as speakers and printers.

The personal computer or network server 20 may operate in a networkedenvironment using logical connections to one or more remote computers,such as a remote computer 49. The remote computer 49 may be anotherpersonal computer, another network server, a router, a network PC, apeer device or other common network node, and typically includes many orall of the elements described above relative to the personal computer20, although only a memory storage device 50 has been illustrated inFIG. 2. The logical connections depicted in FIG. 2 include a local areanetwork (LAN) 51 and a wide area network (WAN) 52. Such networkingenvironments are commonplace in offices, enterprise-wide computernetworks, Intranets and the Internet.

When used in a LAN networking environment, the personal computer ornetwork server 20 is connected to the local network 51 through a networkinterface or adapter 53. When used in a WAN networking environment, thepersonal computer or network server 20 typically includes a modem 54 orother means for establishing communications over the wide area network52, such as the Internet. The modem 54, which may be internal orexternal, is connected to the system bus 23 via the serial portinterface 46. In a networked environment, program modules depictedrelative to the personal computer or network server 20, or portionsthereof, may be stored in the remote memory storage device 50. It willbe appreciated that the network connections shown are exemplary andother means of establishing a communications link between the computersmay be used.

Client Architecture

Referring now to FIG. 2, there is illustrated a first exemplary clientarchitecture 90 in accordance with the present invention. The clientarchitecture 90 may be implemented on the personal computer 20 of FIG. 1or other appropriate computing device, such as a palm-sized computer,laptop computer, or closed device that is purpose-built for readingeBook titles. Client architecture 90 includes a reader shell 92 (or“reader 92”) for reading the eBook titles 10 and a web browser 102(e.g., the MICROSOFT® INTERNET EXPLORER browser) for contactingRetailer/Distributor sites. A cryptographic transform is provided, whichmay be a plug-in for an Information Technology Storage System (ITSS) 5.296. The cryptographic transform is a software component that will unsealthe content key and decrypt the content stream coming out of the eBookfile or “LIT file” 10 (shown in FIG. 4). The cryptographic transform ispreferably implemented as an extension to existing ITSS 96 code beingused by the Reader 92 for LIT files 10. This extension is instantiatedwhenever encrypted content is accessed. A Bookplate API 94 is providedwhich returns the purchaser's name (or other information related to thepurchaser) from the cryptographically hashed Bookplate stream 14C insidethe DRM Storage object 14 of each title 10 (e.g., in the case ofindividually sealed titles that include the purchaser's name or otheridentifying information in their meta-data). The string returned by thisfunction may be used on the book cover page 100 to identify the rightfulowner of the title 10; an example, in which the string is the user'sname, is depicted in FIG. 2. If the user clicks on the name displayed(or taps, in the case of touch-screen devices) or a CopyrightNotice/Icon on the cover page, a dialog-box emphasizing the copyrightednature of the publication may be rendered. Local store 98 is preferablya directory or folder where eBooks may be stored. (As discussed below inconnection with FIG. 4, eBook 10 is a file containing the content of thebook, as well as other information.) For example, when architecture 90is implemented on a device operating under one of the MICROSOFT WINDOWSoperating systems, local store 98 may simply be a directory called“C:\MyLibrary.” Browser 102 is a typical browsing program (such as theMICROSOFT INTERNET EXPLORER browser or the NETSCAPE NAVIGATOR browser);it is used to contact retail sites that sell eBooks and to engage intransactions with those sites. In some cases, reader 92 may have an“integrated bookstore” feature that contacts retail sites andfacilitates shopping without the use of a general browsing application102.

Referring now to FIG. 3, there is illustrated a second exemplary clientarchitecture 90′. In the second client architecture, like referencenumerals represent like elements as in the first client architecture,and the therefore the descriptions of these like elements are not berepeated below. The DRM Manager 80 is a component that exposes a set ofinternal APIs to the reader 92, which manage the authentication ofapplications requesting access to encrypted LIT files, in addition tocarrying-out decryption of content, unsealing of keys, returning of aBookplate string (e.g., the user's name for display in the case of, forexample, level 3 or level 5 titles), etc. For example, the code forreader 92 may include an interface call that is part of the API, wherethe call invokes computer-executable instructions to carry out one ofthe above-listed functions. The computer-executable instructions may beembodied in a COM object and/or a dynamic-link library (DLL) for use bythe reader 92. Different versions of the COM object and/or DLL may beprovided to accommodate updates to technologies (i.e., to allow reader92 to work transparently, though a constant API, with various differentDRM technologies, some of which may not even have been developed at thetime that the code for reader 92 was created.) In one example, thedeveloper/administrator of architecture 90′ may provide a specificationor description of interface (e.g., a set of method names/labels for theAPI) to the developer of the reader 92, and may then provide a DLL orCOM object (or successive DLLs and COM objects) to the users of clientarchitecture 90′. In another example, the developer/administrator ofarchitecture 90′ may be the same entity who provides reader 92, and maydefine an API for DRM manager 80 to facilitate communication with thevarious components of architecture 90′.

The secure repository 82 is an executable that is downloaded during theActivation process and enables the Reader to open Fully Individualized(Level 5) eBooks (LIT files). The secure repository 82 is preferablyunique (or substantially unique) for each computing device on whicharchitecture 90′ is implemented (e.g., a PC or purpose-built readingdevice). Secure repository 82 holds a private key that is required foropening Level 5 protected titles. Secure repository 82 may be obtainedduring the activation process (described below). In one example, thecomputing device on which architecture 90′ resides uploads (via anetwork, such as network 52) a hardware ID to a “secure repositoryserver” (not shown), where the hardware ID is based on hardwareassociated with the computing device (e.g., by serial numbers or othernumbers associated with that hardware) and uniquely identifies thedevice. The “secure repository server” may then download to thecomputing device a secure repository whose code is based on, and whoseproper execution is preferably tied to, the computing device on whicharchitecture 90′ is implemented, where the secure repository performsfunctions including applying a unique private key that is used in theprocess of unsealing the content key, as well as decrypting the content.In an exemplary embodiment, the content in a level 5 title is encryptedwith a symmetric key, the symmetric key is encrypted with a public keycontained in an activation certificate, the encrypted symmetric key issealed with the title, and the activation certificate's private key iscontained in the activation certificate in a form encrypted by thepublic key of secure repository 82. In this example, secure repository82 decrypts the activation certificate's private key using the privatekey of secure repository 82, and then the activation certificate'sprivate key is used to decrypt the symmetric key. A system and methodfor creating secure repository 82 , filed concurrently herewith andexpressly incorporated by reference in its entirety.

The activation ACTIVEX control 84 is a component used by the clientcomputing device during the activation process (see below). Preferably,ACTIVEX control 84 is used by a browser (e.g., a MICROSOFT INTERNETEXPLORER browser), which, in turn, is hosted by reader 92 (althoughACTIVEX control 84 could also work with a stand-alone browser.) Theactivation ACTIVEX control 84 exposes methods that provide for thevalidation of servers (e.g., the “activation server(s)”) to which reader92 (or the computing device on which it resides) is connected,computation of the hardware ID, downloading of secure repository 82 (andassociated activation certificates), and authentication and installationof the downloaded executable. For example, reader 92 (or anothersoftware component) may contain instructions to detect whether reader 92has been activated and, if it has not been activated, may issue one ormore instructions to activation ACTIVEX control 84 to perform theactivation, and those instructions may include instructions to performthe acts listed above.

The web commerce object 86 is distributed as both an ACTIVEX control anda NETSCAPE NAVIGATOR® plug-in. It may be used, via client-sidescripting, by retailers when selling fully individualized copies (i.e.,Level 5 protected copies). This COM object 86 is preferably wrapped byclient side script functions, which abstract the actual methods andunderlying differences between the plug-in and the ACTIVEX control. Thekey methods provided by the web commerce object 86 and its accompanyinginterface are: detection of the installation of reader 92, detection ofactivation status, launching of the reader into the activation process(see, FIG. 5), retrieval of encrypted PASSPORT ID with which the readerwas activated, and retrieval of a (preferably encrypted) activationcertificate during download of fully individualized copies (Level 5protected). For example, a script (such as a Java script) may bedistributed to retailers of eBooks for inclusion in the retailer's webpages. The script may expose function calls that implement theabove-listed methods, and the script may include code to determinewhether it is being executed by a MICROSOFT INTERNET EXPLORER browser ora NETSCAPE NAVIGATOR browser, where it uses the ACTIVEX control in thefirst case, and the plug-in in the second case. A retailer mayeffectively transmit instructions to be performed on the clientcomputing device by transmitting the script that defines the functioncalls along with script instructions that invoke the functions. Forexample, a retailer may wish to detect whether reader 92 is installed ona client's computing device, so the retailer may transmit to the clientdevice a web page containing the Java script that defines the functionof detecting whether reader 92 is installed, along with an instructionto invoke that function. The detecting function itself may include codeto perform the detecting function of either the ACTIVEX control or theplug-in depending on the brand of browser the script is executing on. Inthis way, the particular browser is transparent to the retailer, who maycreate a single web page that performs any of the above-listed functionson either browser.

eBook File Structure

Referring now to FIG. 4, an exemplary eBook (or “LIT”) file structure isshown. The eBook 10 contains content 16, which is text such as a book(or any electronic content, such as audio, video, etc.) that has beenencrypted by a key (the “content key”), which itself has been encryptedand/or sealed. In a preferred embodiment, the key is a symmetric key 14Athat is sealed with a cryptographic hash of meta-data 12 or, in the caseof level 5 titles, with the public key of the user's activationcertificate. This key is stored either as a separate stream in asub-storage section of the eBook file (stream 14A of DRM Storage 14 inFIG. 4) or, in the case of level 5 titles, in the license. (In the caseof level 5 titles, instead of storing the content key as a separatestream, stream 14A contains a license, which is a construct that definesthe rights that the user can exercise upon purchase of the title. Intitles that have a license, the content key is contained within thelicense.) Also included in the DRM storage 14 are the source stream 14B,which may include the name of the publisher (or other content source),as well as the bookplate stream 14C, which, for individually sealed(level 3 and/or level 5) titles, includes the consumer's name asprovided by the retailer (which may, for example, be obtained as part ofthe commercial transaction of purchasing an eBook 10, such as from theconsumer's credit card information). The method of calculating thecryptographic hash that encrypts and/or seals the symmetric key 14C (orthe method of using such cryptographic hash to seal the key) ispreferably a “secret” known only to trusted content preparation toolsand trusted rendering applications. Using a hash in this way maycomplicate/discourage tampering with the meta-data 12 contained with theeBook 10. It is noted that any method may be used to “seal” an eBook, solong as such method provide some measure of tamper resistance to theeBook 10.

In accordance with the present invention, the meta-data 12 may include acopyright tag, which describes the rights granted to the user orpurchaser by the content source (e.g., the publisher). Whenever such tagis present, reader 92 may display to a user the text included in thetag, for example when the user taps on the name displayed on cover page100 (shown in FIGS. 2 and 3) in the case of individually sealed copies,or on the “Copyright Notice” link (in the case of source sealed copieswith a copyright tag), which may also be rendered on cover page 100. Ifthe copyright tag is not included in meta-data 12 by the content source,but the eBook title has been individually sealed (Level 3), the readingapplication based on the disclosed system (e.g., reader 92) may render ageneric copyright notice such as the following message, or a similarmessage: “No part of this electronic publication may be reproduced,re-distributed, or re-transmitted in any form or by any means,electronic, mechanical, printing, photo-copying, recording, or by anyinformation storage and retrieval system, without written consent fromthe publisher.” It will be appreciated that the act of displaying acopyright notice serves to deter typical users from attempting to copytheir eBooks, and such a notice may be displayed at any point during theviewing of an eBook when it is deemed advantageous to remind users thatthey are viewing proprietary material.

Activating a Reader

As noted above, activation enables a reader client for purchase,download, and viewing of fully individualized (i.e., level 5) eBooktitles. Because computers running one of the MICROSOFT WINDOWS®operating system (or other general-purpose operating systems) areessentially open platforms where anyone can debug a running process andcreate “patches” (software modification modules) for hacking thesecurity of any application, the need to establish a security frameworkaround the Reader Client is a pre-requisite for providing true copyprotection/resistance. “Activation” is the process by which thisframework is established for reader 92.

It is preferable that the activation process be performed using a“namespace authority,” such as MICROSOFT® PASSPORT™, as the activationdatabase. The use of PASSPORT™ advantageously allows the linking of theuser's activation certificate to his/her persona. As used herein, a“persona” is a unique identifier that can be tied to a user and can besecurely authenticated by an out-of-band process—e.g., a username andpassword form on a web browser for use over a secure socket layer (SSL)is an example embodiment of such an process. Using a “persona” schema,an individual may read purchased titles on any reader that has beenactivated using the “persona” under which the title was purchased. Also,once activated, the activation information may be made available tomultiple merchants in order to eliminate the need for server-to-servercommunications between the merchants and the activation authority, whilemitigating privacy concerns.

The process by which a Reader is activated will now be described. Once auser purchases a purpose-built eBooks reading device, or obtains readersoftware for a PC (e.g., via CD-ROM 31, or download via a wide-areanetwork 52 such as the Internet), the user is encouraged to activate thereader the first time the reader is launched (e.g., immediately afterSetup for the Laptop/Desktop application). For example, each time thereader is launched, it may check to see whether it has been activated(or another software object may check whether the reader has beenactivated). If the reader has not been activated, the reader will rendera dialog box reminding the user he or she will not be able to acquirepremium titles that require full individualization (i.e., level 5protection). An example of such a reminder is:

Congratulations on installing the Microsoft® Reader. In order to enableyour Reader for purchase and download of premium titles that have beensecured for distribution, you'll need to Activate it online.

The dialog may include buttons to allow the user to activate the reader92 (e.g., the dialog box may display two buttons marked “Activate Readernow” and “Activate Reader later”). A “checkbox” may be included in thedialog box with a message such as “Please don't show me this message inthe future,” which the user would check if he or she has no interest inacquiring level 5 titles, so that the reader would cease displaying theactivation message upon launch. If the Reader has been previouslyactivated, the PASSPORT ID or persona ID of the last user that activatedthe reader will be rendered as well as in a “splash screen,” such as“Activated for <persona>.” User may also activate the reader from anyretail web site, while shopping with a stand-alone browser. In thisscenario, merchants may leverage a method exposed by the Reader WebCommerce object 86 and associated script wrapper API to render a linkand/or button that launches reader 92 as a separate process. Forexample, a merchant may include in a web page a script function thatlaunches reader 92 into its activation feature, which then guides theuser through the activation steps, just as if the user had started thereader and launched the activation feature on his own. (As noted above,the script function may perform the launch either using an ACTIVEXcontrol or a plug-in according to what type of browser it is runningon.) The merchant may also include in a web page an instruction (usingthe web commerce object 86 and associated script wrapper) to firstdetect whether reader 92 is activated, and launch the activation processonly if reader 92 has not been previously activated. In anotherscenario, reader 92 may be using an “integrated bookstore” feature ofthe reader (e.g., a feature that allows the user to shop various websites that sell eBooks without using a browser), and the activationprocess may be launchable from (or part of) the “integrated bookstore”feature of reader 92.

Assuming the user has decided to activate the reader 92, the activationprocess may include the steps illustrated in FIG. 5. At step 150, thereader client opens into the “integrated bookstore” section andconnects, via Secure Sockets Layer (SSL), to the activation servers,where users are prompted to login using their PASSPORT™ credentials(step 152). If the user does not have a PASSPORT™ account, he/she willbe provided with at link to sign-up for one (step 154). It is preferablethat the URL to the Activation Server be hard-coded into an ActivationACTIVEX control 84 using a SSL connection such that the client canguarantee that the servers are truly the activation servers.

Once user is authenticated with PASSPORT™ (step 156), a PASSPORT™ API isqueried for the user alias and e-mail address (step 158). Thereafter, atsteps 160–162, the Activation Servers will request that the client (viathe ACTIVEX control) upload a unique hardware ID (which, as noted above,may be derived from hardware components on the user's computing devicewhich substantially uniquely identify the user's computing device).Next, it is determined whether this is a first activation for reader 92(step 164). (In some circumstances, readers may be activated more thanonce with different PASSPORT IDs; if, reader 92 has been activated withanother PASSPORT ID, then a warning is displayed, as depicted at step166.)

If it is determined that this is a new activation at step 164, then itis determined whether the user has activated more than five readers inthe past 90 days. If so, then an error message is rendered at step 172including a support telephone number, and the process terminates at step198. As noted above, the limitation of activating no more than fivereaders in the past 90 days is merely exemplary. Limiting activation ofreaders by time and number helps to prevent wide dissemination of alevel 5 eBook title for viewing on thousands (or millions) of readersthroughout the world. The “five readers in ninety days” limitation inthe example of FIG. 5 is merely exemplary, however, as other limitationson activation may be imposed without departing from the spirit and scopeof the invention. For example, the activation limitation depicted inFIG. 5 could be extended by allowing additional activations once apredetermined period of time elapses, e.g., one additional activationafter a subsequent 90 day period elapses up to a limit of 10 totalactivations.

If the user has not activated more than five readers within the first 90days (or is not otherwise precluded from activating reader 92), anactivation page is rendered (step 170) for the user to fill out. If theuser transmits the form in an incomplete format (detected at step 174),the page may be re-rendered until the user completes the form. Next, atstep 176, it is determined if the present activation is a recovery(i.e., an attempt to “reactive” a reader that has been previouslyactivated but become unusable or disabled for some reason). If thepresent activation is not a recovery, then a new record is created forthe user and reader and the number of readers associated with the useris incremented (step 180). A pre-generated secure repository key pair isretrieved from a database (step 182) and activation certificates arealso generated (step 184). (As discussed above, the activationcertificate may include a public/private key pair whose private key hasbeen encrypted with the public key of the secure repository key pair.)The activation keys, User ID, and Machine ID are persisted in a database(not shown) at step 186. Preferably, the secure repository keys are notpersisted, and any new secure repository that needs to be created anddelivered in the future would have a new key pair (and the activationcertificate delivered with that new secure repository may contain thepersisted activation key pair, but with the private key encrypted to the(new) public key of the (new) secure repository).

If, at step 176, it is determined that this activation is a recovery,then an activation certificate is generated (step 178) using the storedpublic/private key pair from a prior activation (the public/private keypair being retrieved from the database in which it was persisted at step186), and processing continues at step 188.

At step 188, the activation server(s) generate a secure repositoryexecutable 82. Preferably, the secure repository executable 82 isdigitally signed, and based on and/or bound to a machine ID. Theactivation server(s) also generate an activation certificate, which ispreferably tied to the user's persona through his/her PASSPORT™ ID). Thesecure repository executable 82 and activation certificate are thendownloaded to the client (steps 188 and 190). The activation certificateis encrypted during download (e.g., to protect any information containedin the certificate that relates to the persona to which it is tied). Theactivation certificate is later uploaded to a “download” or“fulfillment” server during the eBook acquisition process describedbelow in connection with FIG. 6 (i.e., as part of the process ofacquiring a level 5 title). The user's PASSPORT™ ID is encrypted andstamped in the PC Registry as part of this download (when reader 92 isinstalled on a computing device that has a registry), for upload duringcommercial transactions. The PASSPORT™ ID is stored separately from theactivation certificate (even though it may be included in the activationcertificate) so that the stored PASSPORT ID may be compared with thePASSPORT ID in the activation certificate during the acquisition of alevel 5 title, thereby helping to prevent theft of content.

At step 192 it is determined whether the download of secure repository82 and the activation certificate has succeeded. If not, an event islogged and the download is attempted again (steps 194 and 192). If thedownload was successful, then at step 196, the user may be provided witha page that “congratulates” him/her on activating reader 92 andinforming him/her that the activation process is complete. In oneexample, the page may include links where the user may obtain“promotional” or “free” eBooks. This link will change depending on thepromotion (i.e., the server may download a different page with differentlinks if the “promotion” changes). This link may also leverage a methodexposed by the Activation ACTIVEX Control 84 to return the user to thelibrary page on the reader. The process then terminates at step 198.

eCommerce Process Flow

Referring now to FIG. 6, an overview of the basic process by which eBooktitles are acquired and delivered online is described. It is noted thatthe reader of the present invention is adapted to interact and operatewithin a server environment. Such an exemplary server environment isdescribed in, filed concurrently herewith, which is expresslyincorporated by reference herein in its entirety.

Using a browser or the “integrated bookstore” feature of reader 92, theuser visits a retail site and chooses book(s) in a manner implemented bythe retailer (step 200). For example, the site may provide a web pagethat displays (as links) various books that the user may wish topurchase. The user then pays for the titles (step 202), such as bysubmitting a credit card number (or by referencing a stored credit cardnumber if the user has an account with the site; in one usage, theuser's PASSPORT ID may reference such a number or account). Thetransaction concludes at step 204 with a receipt page. The receipt pagemay contain information “confirming” the order or thanking the user forhis/her order, and also contains links (HTTP POST requests) fordownloading each title purchased. For fully individualized titles (level5), a client-side script populates the body of the POST with theactivation certificate, via web commerce object 86. (E.g., web commerceobject 86 is used to retrieve the activation certificate for provisionto the retailer's site.) In one example, the activation certificate maybe provided to the retailer web site, which then creates an HTTP request(i.e., a POST request) which includes an encrypted blob (i.e., in thebody of the POST). The HTTP request (including the encrypted blob) isthen rendered as a link at the client site, where the client clicks thelink to download the purchased title (as described below). In thisexample scenario, the HTTP request and encrypted blob (which aregenerated by the retailer, who, preferably, is in privy with thefulfillment site) contains information that identifies the particulareBook to be provided to the purchaser, as well as information thatdemonstrates to the fulfillment site that the encrypted blob wasgenerated by a retailer for whom the fulfillment site has agreed tofulfill eBook orders. Additionally, in the case of the purchase of level5 titles, client side software adds the activation certificate to thebody of the POST to allow the symmetric key of the eBook to be encryptedfor use with readers activated to the user's persona.

Upon clicking on any of the links at step 206, the browser initiates adownload from a download or “fulfillment” server specified in thereceipt page. For individually sealed (“inscribed”) copies, the downloadserver adds the consumer's name (or other identifying information asdetermined by the retail site, such as the user's credit card number, atransaction ID, etc.) to the title meta-data and re-seals the symmetrickey using the new cryptographic hash resulting from the new meta-data,which now includes such identifying information. (The particularinformation to be included is determined by the retailer and provided aspart of the encrypted blob in the body of the POST.) For fullyindividualized copies (level 5) a license is generated and embedded inthe LIT file, in addition to the bookplate being created. This licensecontains the symmetric key that encrypted the LIT file “sealed” with thepublic key in the activation certificate. When the download is complete(step 208), the download server logs the transaction and, on the client,the reader 92 may be launched automatically (step 210). The title may,at this time, be moved into local store/LIT store 98, or another folderor directory designated for the storage of eBook titles. Upon launch ofthe reader 92, the eBook may be opened to its cover page 100.

In accordance with the present invention, from an end-user'sperspective, there may be no perceptible difference between a level 3and a level 5 protected title. Both include a bookplate (e.g., inclusionof the user's name on the cover page 100). Users may only notice thedifference if they try to move a level 5 eBook to an installation wherethe reader 92 has not been activated for the persona that purchased theeBook. In this case, a level 5 title will not open on such a reader 92,whereas a level 3 title will open.

DRM System Client Usage Scenarios

The DRM system architecture is driven by several scenarios thatconsumers of eBooks are expected to encounter. Exemplary scenarios areexplained below. Such scenarios include buying a book on impulse,reading a book on multiple readers 92, activating a reader 92, andrecovering a lost or damaged title. The scenarios have variationsaccording to the level of copy protection chosen by the publicationprovider. The variations impact the user because they determine in somecases what the user must do in order to acquire and open a title on oneor more readers 92.

Buying a Book on Impulse and Reading

When a consumer browses a retailer's web site using a web browser or a“bookstore” feature inside reader application 92, he or she may selectbooks to be purchased (e.g., build a “shopping cart”), and proceed tocheckout in accordance with the rules and/or procedures of the retailsite. Depending on the level of protection associated with the selectedtitles (which may, for example, be determined by the retail site, or thecontent owner on whose behalf the retail site distributes the eBook),the retail site may request information which uniquely identifies thecustomer. (E.g., if the title is protected at level 3, the retaileracquires the user's name from a (preferably) trusted source forinclusion in the meta-data, so that a user could not purchase a titleunder a false name and escape detection if the title is illicitlydistributed. In this scenario, other information from which thepurchaser can be traced, such as the user's credit card number, atransaction ID, etc., could be used to serve the same purpose) If thetitle is protected at level 5, the retail site will also need theactivation certificate (preferably obtained by use of web commerceobject 86 an its associated script wrapper) in order to properly encryptthe content key. If the customer/browser is not able to provide therequired information to complete the transaction, the retail site maythen provide the customer with the steps that are required (e.g., in theform of a web page that explains the steps and how they may beaccomplished and/or provides hyperlinks to be followed). Upon completingthe transaction, it is preferable that the customer receive a receipt toconfirm transaction (i.e., an order confirmation page) or receiveinformational errors reporting issues with processing their transactionin accordance with the retail site's rules and policies. Next, thepurchaser follows download instructions embedded in the receipt for thebooks they purchased, according to the rules and policies set forth byretail site. (E.g., the receipt may contain a hyperlink to be clicked bythe user in order to begin the download of an eBook.) After the eBookhas been downloaded, it may be opened for reading by reader 92.

Reading a Book on Multiple Readers

Consumers will expect to be able to read titles on more than one readingplatform, e.g., a desktop PC, laptop, palmtop or an eBook device. TheDRM System of the present invention provides for such usage. As part ofthe DRM system, publishers, distributors and merchants may be holders ofsymmetric keys that are used to encrypt eBooks titles. Preferably, onekey is used per title or SKU/ISBN/EAN. The symmetric key is required toopen the title and is embedded in the license/DRM stream during thepurchase. The process of encrypting and later embedding the symmetrickey will be referred to herein as “sealing.” It is noted that thesymmetric key may be encrypted using a public key associated with theconsumer's activation certificate key-pair, or, in the case of sourceand individually sealed copies, may be encrypted with a cryptographichash of the meta-data.

In order to read the encrypted title on multiple readers 92, eachinstance of the reader 92 needs to be able to access the symmetric key14A embedded in the title's License/DRM stream. In the case of protectedtitles that are not fully individualized to a person (e.g., titles atlevels 2, 3, or 4), accessing symmetric key 14A is accomplished by using(e.g., hashing) the title's meta-data to unseal, and possibly decrypt,the symmetric key 14A, which is preferably done by DRM manager 80. Inthis scenario, the merchant/distributor of the title encrypts thesymmetric key 14A with a cryptographic hash, which is programmaticallygenerated from a hash of the title's meta-data (which may include therightful owner's name, for example, in the case of level 3 titles).Reader 92 and/or DRM Manager 80 then uses the same hash algorithm tounseal the symmetric key. Users that tamper with the contents of thetitle's meta-data will no longer be able to read the eBook title, sincereader software will not be able to decrypt/unseal the symmetric key14A, because the new meta-data would result in a different hash.

In the case of fully-individualized (level 5) titles, the symmetric key14A is encrypted with the public key of the user's activationcertificate and inserted into the license, where the license is insertedinto DRM storage 14 in stream 14A (see FIG. 4) prior to download. Asdiscussed above, each reader 92 activated to a particular persona has anactivation certificate containing the public/private key pair associatedwith the persona. Thus, a title may be read on any reader 92 that hasbeen activated to a particular persona. As discussed above, theactivation certificate is obtained during the activation process. Theaforementioned “license,” as further discussed below, is a constructthat defines the rights that the consumer can exercise upon purchase ofthe content and, where it is present, it also contains the content key(i.e., the symmetric key).

Client architecture 90′ decrypts the encrypted symmetric key containedin the license of a level 5 title by applying the private key from theactivation certificate, where the activation certificate private key isstored in encrypted form and is obtained by using secure repository 82to apply its public key to the encrypted private key, as discussedabove. Beyond ensuring that a reader 92 has been activated using thecredentials (i.e., persona) for which a level 5 title was prepared, noother action is required to permit a user to read a title on multiplereaders 92. Moreover, even in the case of level 5 titles, the act ofensuring that the reader is activated to the correct persona takes placeimplicitly—that is, if the reader 92 has not been activated to theperson with which a level 5 title is associated, then the reader 92 willnot have access to the activation certificate (and its private key) thatallows the reader to access symmetric key 14A needed to decrypt contentsteam 16. All the level 5 titles purchased for a reader 92 have theircontent keys encrypted to the public key included in the activationcertificate associated with the reader/persona. When the user installsor purchases another reader 92, the user only needs to activate the newreader with the same persona to receive the same activation certificate(or, more precisely, an equivalent activation certificate with the samepublic/private key pair, whose private key, as discussed above, isencrypted with the public key of the secure repository resident on thenew reading device/installation).

Yet another alternative for obtaining symmetric key 14A exists from anOpenCard. OpenCards each contain a key or key pair to which titles aresealed. When the user wishes to read the same titles on a differentreader 92, the reader 92 must be installed on a device having anOpenCard slot. Accordingly, when the user inserts the OpenCard in thedevice, the titles are automatically available for reading. Thus, nospecial steps are required when users want to read OpenCard-based titleson multiple readers 92, since, in effect, the title is bound to the cardrather than to a particular activation certificate and/or persona.

Upgrading or Replacing the Reader

If a user loses, replaces or upgrades his/her reader, it is importantthat the user be able to read previously-purchased titles (e.g., level 5titles) on the new Reader. According to an aspect of the invention,enabling users to read previously purchased content on new readers 92 isperformed using the same mechanisms that allow them to read on multiplereaders 92: the new reader 92 acquires the required activationcertificate (i.e., an activation certificate with the key pair containedin previous activation certificates issued to the user's persona).

Enforcing a limit on the number of activations of readers 92 in themanner described above simplifies the upgrade/replacement process. Aslong as the user has not exceeded the applicable limit on activations,he can activate a new/upgraded/replacement reader 92 just as if he wereactivating another one of several readers owned by that user. A user may“cancel” an activation of an old reader by deleting the activationcertificate, but doing so does not necessarily increase the number ofavailable activations for a particular persona, since the activationauthority (e.g., the activation servers that users contact to obtainactivation certificates and secure repositories 82), does notnecessarily have any way to verify that the activation certificate hasbeen deleted, or has not been backed up in a recoverable manner.Therefore, in one embodiment of the invention, deleting the activationcertificate does not “reset” the ambient limitation on new activationsfor a particular persona.

Recovering a Lost or Damaged Title

A user may backup titles, for example, by copying eBook file 10 toremovable magnetic disk 29, optical disk 31, or a removable,non-volatile memory card. If the titles ever become lost or damaged onthe primary storage of a particular reading device, the titles can berestored from backup storage. However, in the case where titles are, forsome reason, not backed up, it may be possible to recover any titleslost or damaged from the retailer. For example, the user may keep thereceipt page from a title purchase (i.e., the page that contains thedownload links), and simply “re-visit” the link to connect to a downloadserver to obtain a new copy of the eBook (“LIT”) file 10 that embodiesthe title. Users can keep their receipts locally or alternatively, theretail store may chose to offer customers the service of storing theirreceipts on retailer's server.

In a preferred embodiment of the invention, however, receipts have anexpiration time/date (e.g., the encrypted blob associated with the linkthat is clicked to contact the download server may have an expirationtime/date incorporated within it), such that clicking a download linkmore that a predetermined amount of time after it was issued (e.g., onehour) will cause the download server to refuse to download the title. Inthis case, the retailer may have a record of the purchase and mayprovide a new copy of the receipt/download link. In order to recover alost or damaged eBook title, the user will have to connect to themerchant from which the eBook title was purchased. After the user isidentified, the merchant site will present the user with a list ofreceipts from which the user will choose the appropriate one. The usermay then locate the title they wish to recover, and click on the linkprovided for download. Barring any restrictive policies from themerchant site, the user should be able to re-download the eBook titlethey lost. It is generally not necessary for the merchant to restrictre-downloading of titles, since the user was always free to copy thetitle from machine to machine (subject, of course, to the condition thatlevel 5 titles do not work on readers activated for a persona other thanthe persona that purchased the title), and thus restricting there-downloading of titles provides no additional copy protection. Itshould be observed, however, that the decision to provide free“re-downloading” privileges is within the discretion of the merchant,since the merchant may view the re-downloading as a service for whichthe merchant desires to collect a fee.

Supporting Multiple Activated Readers on the Same PC

It is preferable that the reader for laptop and desktop PCs be designedto support multiple users sharing the same computer. So long as theusers have different local accounts on the PC they share, the reader maystore all user-specific data on the appropriate user data-space, keyedoff of their respective profiles and “current user” registry values. Forexample, eBook files 10 may be stored, for each user, in a directorylogically contained within the top-level directory for that user'sprofile. In the case of the activation process, the process may ensurethat the reader 92 being activated and the components being downloaded(e.g., secure repository 82 and the activation certificate) are tied tothe current user (e.g., the currently logged-in user on a workstationrunning the MICROSOFT WINDOWS NT operating system).

Additionally, once the reader is activated, it may display the PASSPORT™name for the user for whom it was activated, for example on a splashscreen and a quick settings page. On the quick settings page, thePASSPORT™ name for the user that last activated the reader will be shownimmediately above the activation link. This allows for proper handlingby the client-side web commerce object 86 of the activation certificateand encrypted PASSPORT™ ID upload, during the shopping process for fullyindividualized titles (level 5 protected).

The process by which multiple users can activate the same reader 92 onan exemplary shared system is as follows. The Reader will check whetherit has been Activated during startup. This check is performed bychecking for an ActivationComplete RegKey, underHKEY_CURRENT_USER\Software\Microsoft\eBook\. Because this RegKey iswritten to the HKCU branch, it ensures that it will be user-specific andtied to the currently logged on username on the computer. If this RegKeyis not found or is not set to 1 (i.e., a successful activation has takenplace) the user follows the steps to activate the reader, as discussedabove. After the download is complete, the activation ACTIVEX control 84queries the operating system for the username for the currently loggedon user on the PC. If no username is returned, it will assume“DefaultUser” as the username.

The ACTIVEX control 84 then queries the registry to find out where thereader was installed. It then creates a directory under the MS Readerinstallation directory that will be named: .\<username>\SecureRepository(<username>as determined by the operating system query). Once thedirectory is created, the ACTIVEX control 84 populates theHKCU\..\eBook\SecureRepository key, with the full path to thatdirectory. In that directory, the ACTIVEX control 84 installs securerepository 82 and the activation certificate. It then executes securerepository 82 with the “-install” parameter for self-registration ofsecure repository 82. Assuming all of the above steps succeeded, theACTIVEX control 84 stamps the ActivationComplete RegKey.

License Format

Below is an exemplary license, which is used for every download of fullyindividualized titles. The license is a construct that defines therights that the user can exercise upon purchase of the title, inaddition to defining the requirements for unsealing the symmetric key toexercise those rights. Examples of “rights” that could be represented inthe license are rendering the content (e.g., in the example of textcontent, reading it on the monitor of a PC), printing the content, orcopying-and-pasting portions of the content. It is noted that theexemplary license format is not intended to limit the scope of thepresent invention as other license formats having greater or lesserinformation are possible.

It is preferable that language chosen to represent a license is XML, andthe format of the license is based on the Extended Rights MarkupLanguage (XrML) Specification. This is a well-suited markup language todescribe usage rights in a flexible manner. XrML also provides for greatinteroperability and will allow for any technology investments made oncomponents that generate and manage these licenses to be leveragedlong-term. In a preferred embodiment, only those expressed in thelicense are granted to the license—i.e., if a right is not expresslygranted, it is denied. However, it will be appreciated by those skilledin the art that other arrangements are possible, such as where a defaultset of rights is presumed unless expressly denied or modified by thelicense.

The top-level tags in a collapsed format are as follows:

<?xml version=“1.0” ?> <!DOCTYPE XrML SYSTEM “xrml.dtd”> - <XrML>  -<BODY type=“LICENSE” version=“2.0”> <ISSUED>2000-01-27T15:30</ISSUED> +<DESCRIPTOR> - <!-- ==============================--> - <!-- LicensedBook -  -> - <!-- ==============================--> + <WORK> ==================================   ==   Components of the book   Onechapter, and one image with digest value ====================================   == ====================================   ==      Usage rights of the book ====================================   == - <!--==============================--> - <!-- Licensor of the book  --> -<!-- ==============================--> + <LICENSOR> - <!--==============================--> - <!-- Licensees of the book -  -> -<!-- ==============================--> + <LICENSEDPRINCIPALS> </BODY> -<!-- ==============================--> - <!-- Signature of the LicenseBody --> - <!-- ==============================--> + <SIGNATURE> </XrML>

The first line of the XrML structure above defines the version of theXML language used to create the XrML license. The second line specifiesthe name of the DTD file used to parse the XML file. The BODY tagprovides the type of license, the version of the XrML specification usedwhen the license was generated, and the date when it was issued. It isalso the meta-tag for the whole license, which has the followingsub-sections: WORK, LICENSOR, LICENSEDPRINCIPALS, and SIGNTURE. WORKcontains all the semantic information about the license, including theusage RIGHTS. The contents of this field (including the tags) constitutethe data that is hashed and signed. LICENSOR contains informationpertaining the entity that issued the license, usually a Retailer.LICENSEDPRINCIPALS contains a series of principals that must beauthenticated when exercising the usage rights specified in a license.SIGNATURE contains the hash/digest of the LICENSEBODY as well asinformation about how the hash was created, including the algorithmused. It also includes the DIGEST encoded in accordance with thealgorithm named by the licensor when issuing the license. The DIGEST andSIGNATURE tags provide the authentication information used to validatethe entire license in a way that cannot be tampered with.

Structure of the BODY Tag

The main tag of an XrML license construct is the BODY tag, whichcontains the following tags:

− <BODY type=“LICENSE” version=“2.0”> <ISSUED>2000-01-27T15:30</ISSUED>− <DESCRIPTOR> − <OBJECT type=“self-proving-EUL”> <IDtype=“MS−GUID”>7BD394EA−C841−434d−A33F− 5456D5E2AAAE</ID> </OBJECT></DESCRIPTOR> − <!−− ========================================== −−> −<!−− Licensed Book −−> − <!−− ==========================================−−> − <WORK> − <OBJECT type=“BOOK−LIT−FORMAT”> <IDtype=“ISBN”>8374−39384−38472</ID> <NAME>A book of James</NAME> </OBJECT><CREATOR type=“author”>James the first</CREATOR><CREATOR   type=“author”>James   the second</CREATOR> − <OWNER> −<OBJECT type=“Person”> <ID type=“US−SSN”>103−74−8843</ID> <NAME>Mike theman</NAME> <ADDRESS type=“email”>mike@man.com</ADDRESS> </OBJECT> −<PUBLICKEY> <ALGORITHM>RSA−512</ALGORITHM> − <PARAMETER name=“publicexponent”> <VALUE encoding=“integer32”>65537</VALUE> </PARAMETER> −<PARAMETER name=“modulus”> <VALUE encoding=“base64”size=“512”>u+aEb/WqgyO+aDjgYLxwrk tqFDR4HZeIeR1g+G5vmKNZRt9FH4ouePWz/AJYnn2NdxoJ6mcIIAQVe6Droj2fxA= =</VALUE> </PARAMETER> </PUBLICKEY></OWNER> − <!−− ========================================−−> − <!−−Components of the book −−> − <!−− One chapter, and one image with digestvalue −−> − <!−− ========================================−−> − <PARTS> −<WORK> − <OBJECT type=“Chapter”> <ID type=“relative”>0</ID><NAME>Chapter 1</NAME> </OBJECT> </WORK> − <WORK> − <OBJECTtype=“Image”> <ID type=“relative”>1</ID><NAME>Image 1: Photon Celebshots Dogs</NAME> </OBJECT> − <DIGESTsourcedata=“LicensorMeta”> <ALGORITHM>SHA1</ALGORITHM> − <PARAMETERname=“codingtype”> <VALUE encoding=“string”>surface− coding</VALUE></PARAMETER> <VALUE encoding=“base64” size=“160”>OtSrhD5GrzxMeFEm8q4pQlCKWHI=</VALUE> </DIGEST> </WORK> </PARTS> − <!−−=======================================−−> − <!−− Usage rights of thebook −−> − <!−− =======================================−−> −<RIGHTSGROUP name=“Main Rights”> <DESCRIPTION>Some desc</DESCRIPTION> −<BUNDLE> − <TIME> <FROM time=“2000−01−27T15:30″ /> <UNTILtime=“2000−01−27T15:30″ /> </TIME> − <ACCESS> − <PRINCIPAL sequence=“2”>− <ENABLINGBITS type=“sealed−des− key”> <VALUE encoding=“base64”size=“512”>lnHtn/t2dp3u+ZqL kbd7MK0K4xR4YdSXaEvuk2Loh9ZRJEcPzCw+xM7zbPrJb6ESj70 +B2fWTcxxDD+6WUB/Lw= =</ VALUE></ENABLINGBITS> </PRINCIPAL> </ACCESS> </BUNDLE> − <RIGHTSLIST> − <VIEW>− <ACCESS> − <PRINCIPAL sequence=“2”> − <ENABLINGBITS type=“sealed−des−key”> <VALUE encoding=“base64” size=“512”>lnHtn/t2dp3u+ZqLkbd7MK0K4xR4YdSX aEvuk2Loh9ZRJEcPzCw+x M7zbPrJb6ESj70+B2fWTcxxDD+6WUB/Lw= =</VALU E> </ENABLINGBITS> </PRINCIPAL> <PRINCIPALsequence=“3” /> </ACCESS> − <ACCESS> − <PRINCIPAL type=“licensor”> −<ENABLINGBITS type=“sealed− des−key”> <VALUE encoding=“base64”size=“512”>lnHtn/t2dp3u +ZqLkbd7MK0K4xR4YdSX aEvuk2Loh9ZRJEcPzCw+xM7zbPrJb6ESj70+B2fWTcx xDD+6WUB/Lw= =</VALU E> </ENABLINGBITS></PRINCIPAL> </ACCESS> </VIEW> − <PRINT maxcount=“5”> − <FEE> −<MONETARY> − <PERUSE value=“5.00”> <CURRENCY iso−code=“USD” /> </PERUSE>− <ACCOUNT> <ACCOUNTFROM id=“BA− 0234−0928392” /> <HOUSE id=“XYZ”url=“http://somehouse.co m/payme.asp” /> </ACCOUNT> </MONETARY> </FEE> −<TRACK> <PROVIDERNAME>e− tracker</PROVIDERNAME> <PROVIDERID id=“US1023”type=“Tracker ID” /> − <PARAMETER name=“tracking address”> <VALUEencoding=“url”>“http://sometr ackingservice/trackme.asp”></ VALUE></PARAMETER> − <PARAMETER name=“tracking support address”> <VALUEencoding =“url”>“http://sometr ackingservice/supportme.asp”> </VALUE></PARAMETER> </TRACK> − <TERRITORY> <LOCATION country=“us” state=“CA”city=“El Segundo” postalcode=“90245” /> <LOCATION country=“jp” /></TERRITORY> </PRINT> </RIGHTSLIST> </RIGHTSGROUP> </WORK> −<!−−========================================== −−> − <!−− Licensor ofthe book −−> − <!−−========================================== −−> −<LICENSOR> − <OBJECT type=“Principal−Certificate”> <IDtype=“MS−GUID”>7BD394EA−C841−434d−A33F− 5456D5E2AAAE</ID> <NAME>Barnesand Noble</NAME> </OBJECT> − <PUBLICKEY> <ALGORITHM>RSA−512</ALGORITHM>− <PARAMETER name=“public exponent”> <VALUEencoding=“integer32”>65537</VALUE> </PARAMETER> − <PARAMETERname=“modulus”> <VALUE encoding=“base64”size=“512”>u+aEb/WqgyO+aDjgYLxwrktqFDR4HZeIeR1g+G5vmKNZRt9FH4ouePWz/AJYn n2NdxoJ6mcIIAQVe6Droj2fxA= =</VALUE></PARAMETER> </PUBLICKEY> </LICENSOR> − <!−−========================================= −−> − <!−− Licensees of thebook −−> − <!−− ========================================= −−> −<LICENSEDPRINCIPALS> − <PRINCIPAL> − <OBJECT type=“program”> <IDtype=“msprogid”>XrML.interpreter</ID> <NAME>DRPL INTERPRETER</NAME></OBJECT> − <AUTHENTICATOR type=“drm−module−verifier”> <IDtype=“microsoft− progid”>ms.drm.authenticode</ID><NAME>DRMAuthenticode</NAME> − <AUTHENTICATIONCLASS> <VERSIONSPANmin=“2.0” max=“3.4” /> <VERSION>5.0</VERSION><SECURITYLEVEL>5</SECURITYLEVEL> </AUTHENTICATIONCLASS> −<VERIFICATIONDATA type=“signature−key”> − <PUBLICKEY> <ALGORITHM>RSA−512</ALGORITHM> − <PARAMETER name=“public exponent”> <VALUEencoding=“integer32”>65537< /VALUE> </PARAMETER> − <PARAMETERname=“modulus”> <VALUE encoding=“base64” size=“512”>u+aEb/WqgyO+aDjgYLxwrktqFDR4HZeIeR1g+G5 vmKNZRt9FH4ouePWz/AJYnn2NdxoJ6mcIIAQVe6Droj2fxA= = </VALUE> </PARAMETER> </PUBLICKEY></VERIFICATIONDATA> </AUTHENTICATOR> </PRINCIPAL> − <PRINCIPAL> −<OBJECT type=“MS Ebook Device”> <ID type=“INTEL SN”>Intel PII 92840−AA9−39849−00</ID> <NAME>Johns Computer</NAME> </OBJECT> − <AUTHENTICATORtype=“drminternal−certverify− program”> <IDtype=“microsoft−progid”>2323−2324−abcd− 93a1</ID> −<AUTHENTICATIONCLASS> <VERSION>1.x−2.5</VERSION> </AUTHENTICATIONCLASS>− <VERIFICATION DATA type =“authenticode− named−root”> − <PUBLICKEY><ALGORITHM>RSA− 512</ALGORITHM> − <PARAMETER name=“public exponent”><VALUE encoding=“integer32”>65537< /VALUE> </PARAMETER> − <PARAMETERname=“modulus”> <VALUE encoding=“base64” size=“512”>u+aEb/WqgyO+aDjgYLxwrktqFDR4HZeIeR1g+G5 vmKNZRt9FH4ouePWz/AJYnn2NdxoJ6mcIIAQVe6Droj2fxA= = </VALUE> </PARAMETER> </PUBLICKEY></VERIFICATIONDATA> − <VERIFICATIONDATA> − <PARAMETER name=“bbid”><VALUE encoding=“string”>xxzzy</VALUE> </PARAMETER> − <PUBLICKEY><ALGORITHM>RSA− 512</ALGORITHM> − <PARAMETER name=“public exponent”><VALUE encoding=“integer32” >3</VAL UE> </PARAMETER> − <PARAMETERname=“modulus”> <VALUE encoding=“base64” size=“90”>33845URT203987==</VALUE> </PARAMETER> </PUBLICKEY> </VERIFICATIONDATA> </AUTHENTICATOR></PRINCIPAL> − <PRINCIPAL> − <OBJECT type=“application”> <ID type=“MSPROG− ID”>43984938476jshd</ID> <NAME>MS Book Reader 2.0</NAME> </OBJECT>− <AUTHENTICATOR type=“drminternal−digest− program”> <IDtype=“microsoft−progid”>2323−2324−abcd− 93a1</ID> −<AUTHENTICATIONCLASS> <VERSION>1.x−2.5</VERSION> </AUTHENTICATIONCLASS>− <VERIFICATIONDATA type=“authenticode− named−root”> − <DIGEST><ALGORITHM >MD5</ALGORITHM> <VALUE encoding=“base64”size=“90”>bXlwYXNzd29yZA= =</V ALUE> </DIGEST> </VERIFICATIONDATA></AUTHENTICATOR> </PRINCIPAL> </LICENSEDPRINCIPALS> </BODY>

License Authenticity

Secure repository 82 authenticates a license via the SIGNATURE andDIGEST tags. This is such that the client software can validate that thecontent being rendered came from a trusted source. A more detailedexample of these tags is provided below:

- <!-- ============================    Signature of the License Body   ============================  --> - <SIGNATURE>  - <DIGEST><ALGORITHM>SHA1</ALGORITHM> - <PARAMETER name=“codingtype”> <VALUE  encoding=“string”>surface- coding</VALUE> </PARAMETER> <VALUEencoding=“base64”  size=“160”>OtSrhD5GrzxMeFEm8q4pQICKWHI=<  /VALUE></DIGEST> <VALUE encoding=“base64” size=“512”>A7qsNTFT2roeL6eP+IDQFwjIz5XSFBV+NB F0eNa7de+1D6n+MPJa3J7ki8Dmwmuu/pBciQnJ4xGaq  RZ5AYoWRQ==</VALUE> </SIGNATURE>

It is noted that the foregoing examples have been provided merely forthe purpose of explanation and are in no way to be construed as limitingof the present invention. While the invention has been described withreference to various embodiments, it is understood that the words whichhave been used herein are words of description and illustration, ratherthan words of limitations. Further, although the invention has beendescribed herein with reference to particular means, materials andembodiments, the invention is not intended to be limited to theparticulars disclosed herein; rather, the invention extends to allfunctionally equivalent structures, methods and uses, such as are withinthe scope of the appended claims. Those skilled in the art, having thebenefit of the teachings of this specification, may effect numerousmodifications thereto and changes may be made without departing from thescope and spirit of the invention in its aspects.

1. A computing device having a computer-readable medium includingcomputer-executable instructions for performing acts comprising:validating a server; deriving an identifier associated with saidcomputing device; uploading said identifier to said server; receiving asecure repository from said server; and authenticating said securerepository, wherein said computer-readable medium further includescomputer-executable instructions for performing the acts of: installingsaid secure repository; and receiving two or more activationcertificates adapted for use with said secure repository, wherein saidtwo or more activation certificates includes: a first activationcertificate in an encrypted form; and a second activation certificate inan unencrypted form.
 2. A method of activating software installed on acomputing device, said method comprising the acts of: validating aserver; deriving an identifier associated with said computing device;uploading said identifier to said server; receiving a secure repositoryfrom said server; and authenticating said secure repository, furthercomprising the acts of: installing said secure repository; and receivingtwo or more activation certificates adapted for use with said securerepository, wherein said two or more activation certificates includes: afirst activation certificate in an encrypted form; and a secondactivation certificate in an unencrypted form.
 3. A method of enablingthe use of content items in a multi-level distribution architecture,said method comprising the acts of: rendering a first set of contentitems without regard to whether a first status is activated ornon-activated; and rendering a second set of content items only if saidfirst status is activated, further comprising the act of obtaining anactivation certificate, wherein said second set of content items areencrypted with a first key, wherein said activation certificate containsa first public/private key pair, and wherein said second set of contentitems are decryptable only in the presence of said activationcertificate, further comprising the act of downloading a securerepository having associated therewith a second public/private key pair,wherein said first key is encrypted with the public key of said firstpublic/private key pair, and wherein said activation certificatecontains the private key of said first public/private key pair in a formencrypted by the public key of said second public/private key pair.